New WebAuthn standard will attempt to eliminate passwords

The FIDO Alliance and W3C are working towards stronger authentication to protect the web

Passwords suck. There seems to be little consensus about best practices when it comes to passwords. Make them difficult to guess. Use long strings of random characters. Never re-use the same passwords. Rotate passwords regularly. No, don’t rotate passwords—that’s not safe. Passwords suck, but they are a fact of life when it comes to computers and the internet.

But maybe not for much longer.

The FIDO (Fast IDentity Online) Alliance and the World Wide Web Consortium (W3C) have announced a new standard that could replace passwords. Web Authentication (WebAuthn) is the result of a collaboration between the FIDO Alliance and W3C, based on the FIDO Web API specifications. WebAuthn has officially been moved to the Candidate Recommendation stage, which is a precursor to final approval.

What is WebAuthn?

WebAuthn is a standard web API that integrates with browsers and web platform infrastructure and gives users new methods to securely authenticate themselves on the internet.

“With the new FIDO2 specifications and leading web browser support announced today, we are taking a big step forward towards making FIDO Authentication ubiquitous across all platforms and devices,” said Brett McDowell, executive director of the FIDO Alliance. “After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications.”

Here’s how it works. Rather than trying to remember a different, hard-to-guess password for every website, application or platform they access, users can authenticate with their biometrics or with a device in their possession that talks to the browser over Bluetooth, USB or NFC.

“Security on the web has long been a problem which has interfered with the many positive contributions the web makes to society. While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link,” stated W3C CEO Jeff Jaffe. “WebAuthn will change the way that people access the Web.”

What are the benefits of WebAuthn?

The WebAuthn API can be integrated with browsers and other kinds of web infrastructure. It enables strong, unique public-key credentials for each platform, which eliminates the risks inherent in password use. Basically, any application running in a browser on a device with a FIDO authenticator can call the WebAuthn API to authenticate its users.
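What a relying party actually does around those API calls, as an added example that is not from the article, the FIDO Alliance or W3C: Node-style JavaScript for the registration step, with the options handed to the browser for navigator.credentials.create() and the server-side checks on the clientDataJSON that comes back. Names such as rp.example, buildCreationOptions and verifyClientData are assumptions for illustration, and the sample responses are constructed.

```javascript
// Added example, not code from the article, FIDO Alliance or W3C: the two
// halves a relying party implements around the browser's WebAuthn API.
// Identifiers such as buildCreationOptions and rp.example are assumptions.

function toBase64Url(bytes) {
  return Buffer.from(bytes).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// 1. Server -> browser: options for navigator.credentials.create(). Binary
//    fields are sent base64url-encoded; the page script decodes them into
//    ArrayBuffers. rp.id ties the new key pair to this domain, and the
//    challenge must be fresh, random and remembered server-side.
function buildCreationOptions(rpId, userId, userName, challenge) {
  return {
    rp: { id: rpId, name: rpId },
    user: { id: toBase64Url(userId), name: userName, displayName: userName },
    challenge: toBase64Url(challenge),
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // COSE ES256
    authenticatorSelection: { userVerification: 'preferred' },
    attestation: 'none',
    timeout: 60000,
  };
}

// 2. Browser -> server: the clientDataJSON returned with the new public key.
//    The browser, not the page script, writes the origin into it, so a
//    response produced on a look-alike domain fails here; this origin check
//    plus the challenge check is what makes the scheme phishing-resistant.
function verifyClientData(clientDataJSON, expectedChallenge, expectedOrigin, expectedType) {
  let data;
  try { data = JSON.parse(Buffer.from(clientDataJSON).toString('utf8')); }
  catch (e) { data = null; }
  if (!data || typeof data !== 'object') return { ok: false, reason: 'malformed clientDataJSON' };
  if (data.type !== expectedType) return { ok: false, reason: 'unexpected type' };
  if (data.challenge !== toBase64Url(expectedChallenge)) return { ok: false, reason: 'challenge mismatch' };
  if (data.origin !== expectedOrigin) return { ok: false, reason: 'origin mismatch' };
  return { ok: true, reason: '' };
}

// Constructed sample data (a real authenticator returns the same UTF-8 JSON
// as an ArrayBuffer); the second sample carries a wrong origin.
const CHALLENGE = Buffer.from('0123456789abcdef0123456789abcdef', 'hex');
const GOOD = Buffer.from(JSON.stringify({ type: 'webauthn.create',
  challenge: toBase64Url(CHALLENGE), origin: 'https://rp.example' }));
const WRONG_ORIGIN = Buffer.from(JSON.stringify({ type: 'webauthn.create',
  challenge: toBase64Url(CHALLENGE), origin: 'https://rp-example.net' }));
```

The same verifyClientData check applies to the login step with expectedType set to 'webauthn.get'; signature verification against the stored public key follows it and is not shown here.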

Simpler Authentication – With a single gesture a user can authenticate themselves using a number of methods like biometrics, security keys and device-to-device authentication.

Better Authentication – User credentials and biometrics are stored locally, never on someone else’s servers. It’s also much harder to compromise authentication when it’s done this way.

New Options for Developers – Now developers can leverage FIDO authentication to better secure their apps and platforms.

Image courtesy of FIDO Alliance and W3C

Are passwords really dead?

No. Although this is an exciting new standard, it will likely be at least a few years before widespread adoption. And that’s contingent on the standard actually sticking.

That being said, this is a much needed advancement for web security. Right now, in 2018, you can’t swing a dead cat at a security convention without hitting a keynote speaker presenting a password hacking talk. The technology used to hack passwords, typically with brute force, is advancing rapidly and with quantum computing on the horizon, it’s only going to keep getting easier. And faster.

Author

Hashed Out's Editor-in-Chief started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. He also designs the visuals for Hashed Out and serves as the Content Manager for The SSL Store™.